Huawei To US Government: Please Investigate Us

from the nothing-to-hide dept

Interesting strategy from China's telco networking giant Huawei in dealing with security fears from the US government: it's asking the US government to do a full investigation of the company to satisfy itself that there's nothing questionable going on. Obviously part of the idea is a PR move, to show that the company has nothing to hide, but it's pretty rare to see a company so openly ask a government to investigate it. I guess it's Huawei's attempt to call the US government's grandstanding bluff.

US: "We don't trust that you aren't installing backdoor access into your hardware that you are selling us."

China: "Trust us!!"

US: (in an uncommonly wise decision) "Umm... No... We asked security people and they ALL said it was a bad idea."

China: "Then come check us out... see how we don't do anything bad"

China to themselves: "That's right... check us out once... and approve our hardware for your system critical infrastructure... which the Internet has now become.. then we'll insert backdoors into hardware we sell you later that we can use to spy, sabotage, etc. on you..."

As an aside... All they would have to do is use DRM techniques to hide "code" (instructions, but ehh...) in the hardware, and then have it start 'calling home' in 2 years. Not to equate all DRM with "Evil" China... But still imagine a hardware version of the Sony Root-kit on all the networking switches installed at banks... or power plants...

Where your hardware is manufactured is an important issue. iPhones are only made in China... They are not approved for DoD use.. but Android phones are... Ever wonder why?

Re:

Re: Re:

Do you really think that we wouldn't audit ALL of these things looking for backdoors?
Hell, do you think that we don't do that with companies in the United States to make sure that there are not any backdoors?

With all due respect, it seems that you are extremely distrustful of China without realizing that they ALREADY make many consumer-level computer goods that are used as military-grade at many places.

China would NOT want the black eye from us finding out that they had put backdoors into the hardware and then have us remove all military hardware manufacturing from overseas and bring it back into the United States.

Re: Re: Re:

I don't think that's accurate...

China is quickly becoming a superpower and it could be that this gesture is to lull the US somewhat.

I'm not necessarily a conspiracy theorist, but I do have to wonder what they gain from this gesture. If the trust of the US to look the other way as China works to copy all of its technology for their own benefit is anything, I'd be very wary of something like this...

Re: Re: Re:

Now, let's play a thought experiment... How many pins are active on the p1? Let's say 145 pins (for the sake of nice numbers), that over half of the pins aren't used for logic, and that only 128 pins are used for any type of logic/flow control.

Now.. It would take 2^(128) possible input combinations to test all possible inputs.

Now.. 2^(128) different combinations to test... hmm sounds like cryptographically secure to me

Now.. You have to try hundreds.. if not thousands.. of tests for each possible combination of each of these 2^(128) possible inputs...

I'm not sure this is the way to try and test this... (Especially if they put DRM in the chip to stop you from figuring this out, which would mean you are trying to break copyright...{yeah yeah... gov't can do that, but you get my point})

If you know how to do this, in some kind of way that isn't exponential time... Then please let me know. Normal means to test for fault tolerances in IC aren't going to work b/c we aren't looking for "bad" data, where we know how the chip is designed, we are looking for backdoor access... which can be deeply buried in non-obvious logic areas.

OHHH and do this for every chip on every device every time you buy a device.
Perhaps I'm completely wrong... and the idea that "DRM"-like hardware being inserted into ICs but I don't think so.

I have friends who live in China, I am not attacking China, hence the "evil" in my comment, sorry for omission of -sark-mark- *sigh...*

And about the question of "Hell, do you think that we don't do that with companies in the United States to make sure that there are not any backdoors?" ... Um... Have we done this for MS Windows? Have we done this for... Sony Music CDs? Have we done this for...

I somehow doubt that this is S.O.P. for electronics (NSA/DoD... MIGHT be the exception, but I doubt it)

My original point was that we shouldn't trust production of system critical infrastructure to foreigners (no matter what country they come from). Due to it being too easy to inject some extra little "logic code" into ICs. (That doesn't even have to be on every device, one in a hundred is good enough for "bad" purposes.)

From a less theoretical point of view, check out the Underhanded C contest: http://underhanded.xcott.com/ It's a contest to demonstrate how you can write code that is _meant_ to be audited, yet still do the opposite of what it seems to do. I've been in the business for a while, and it still impressed the hell out of me.

So - auditing can help, but it doesn't cut the muster. And, as has been pointed out, auditing today doesn't mean a lack of naughtiness tomorrow. Of course, sticking with US manufacturers doesn't mean that there aren't backdoors either...

Re:

No. But I do find it ironic that politicians on one hand say Chinese firms are not to be trusted because there's this adversarial relationship between China and US, then turn around and complain that China has put restrictions on US firms operating in China.

Re:

Actually, you're wrong about the phones. The Army is set to approve the iPhone this month (may already have happened) for use with the Army level email systems. We have been told that Android likely won't be approved till May at the earliest. This is of course only valid for unclassified mail.

Re:

Huawei lead are jerks

Huawei should not be trusted, for many violations. First Huawei is not a public company because their finances are murky: they receive big gifts (~$10B) from the Chinese government to compete with other telcos. This allows Huawei to buy market share by bidding below cost. These practices are illegal but are not enforced. Second, Huawei copies everything they consider will generate revenue.
Since Chinese government gives a lot of money to Huawei, they dictate the Huawei strategy. This is of course to compete and take the US out of business, and in particular weaken US military superiority by stressing the US economy by selling Huawei equipment in the US.
Huawei does espionage, and they are hard to discover. They reverse engineer everything they can to compete. So why should US government trust them? There is no way we should. Huawei treats its Chinese employees in China like crap, so it is clearly doing business and keeping cost low. However, Chinese are very nationalistic and they want to work for Huawei. Many Telco multinationals in China employ Chinese engineers that then go to Huawei and transfer the intellectual property.
Also consider that Huawei spends little money in R&D because they copy everything. Under mandate from Chinese government, Huawei wants to dominate the world by putting out of business Ericsson, NSN and Alcatel-Lucent using predatory practices. They are filthy and do not deserve US government trust.
In the long term it is foolish to let the Chinese Telco equipment be sold to Verizon, AT&T and Sprint. If we have a war with China, our telecommunication infrastructure is completely compromised: wireless services (2/3/4G) and wireline services. Forget it, US carriers buying Huawei equipment is a VERY stupid thing to do.

Seen my share of 'Quality Control Audits' over the years...

When it comes to the subject of "please audit us" - I tend to think about the myriad of ISO, QS, and other 'Quality Control' audits over the years I have worked. Frankly, Huawei is probably thinking this is going to be another 'Red Envelope' situation.